The Goal of a CSIRT Investigation

980 Words | Jun 21, 2016 | 4 Pages
The goal of a CSIRT investigation is to establish what happened, which systems and data were affected, how the attack was carried out, and who perpetrated it, including when and where it occurred. The CSIRT should send notifications about the incident through in-band channels such as email, instant messaging and web sites, and additionally through some form of out-of-band communication, such as face-to-face meetings, in case the in-band channels themselves have been compromised by the attacker (Cichonski, Millar, Grance & Scarfone, 2012). The analysis of this incident shows that the attack had a narrow target, focusing on the HR and payroll systems. The motive was money, and the attack vectors were improper usage by an insider and impersonation (spoofing).

To minimize the impact of this incident, the CSIRT has three basic containment strategies: disconnect the affected systems from the network, shut everything down, or leave the systems running (which would mean the rogue employee keeps access) and monitor the affected HR and payroll systems for anomalies. Disconnecting or blocking the affected workstations and the employee's accounts, or monitoring the affected HR and payroll systems, would be among the first steps taken to contain this incident. With input and guidance from legal, HR and IT, the CSIRT should immediately start gathering evidence, following generally accepted forensic procedures. This includes documenting everything, starting with the condition of the workspace and the status of the computers, and recording who handled each item of evidence and when. The CSIRT should collect and store the information from each of the affected system's memory (the most volatile source, so it is acquired first), storage drives, network
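The evidence-gathering step above (document everything, acquire memory before disk, keep a record of who collected what and when) is usually backed by a chain-of-custody manifest. The following is an added example, not code from the essay or from NIST SP 800-61: it records each acquired artifact in order of volatility with its SHA-256 hash, collector and UTC timestamp, hashes the manifest itself, and later verifies that neither the evidence nor the manifest has been altered. The artifact bytes, the host name ws-hr-07, the case ID and the analyst name are constructed stand-ins; real acquisitions would come from dedicated memory, disk and packet-capture tools.

```python
"""Chain-of-custody manifest for collected incident evidence.

Added example (not part of the original essay). Artifact contents, host
name, case ID and collector name are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Collect the most volatile source first (RFC 3227 order of volatility):
# RAM is lost at power-off, live network state goes next, disk persists.
VOLATILITY_ORDER = ("memory", "network", "disk")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the manifest hash is reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(case_id: str, host: str, collector: str, artifacts: dict) -> dict:
    """Record each acquired artifact with size, hash, collector and UTC time.

    artifacts maps a kind from VOLATILITY_ORDER to (filename, raw bytes).
    Entries are written in volatility order, so the manifest also documents
    the sequence in which acquisition was performed.
    """
    unknown = set(artifacts) - set(VOLATILITY_ORDER)
    if unknown:
        raise ValueError(f"unknown artifact kind(s): {sorted(unknown)}")
    entries = []
    for kind in VOLATILITY_ORDER:
        if kind not in artifacts:
            continue
        filename, data = artifacts[kind]
        entries.append({
            "kind": kind,
            "filename": filename,
            "size_bytes": len(data),
            "sha256": sha256_hex(data),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "host": host, "entries": entries}
    # Hash over the entry list lets a reviewer detect edits to the manifest itself.
    manifest["manifest_sha256"] = sha256_hex(canonical(entries))
    return manifest


def verify(manifest: dict, artifacts: dict) -> list:
    """Return a list of problems found; an empty list means evidence and manifest are intact."""
    problems = []
    if manifest.get("manifest_sha256") != sha256_hex(canonical(manifest["entries"])):
        problems.append("manifest entries modified")
    for entry in manifest["entries"]:
        present = artifacts.get(entry["kind"])
        if present is None:
            problems.append(f"{entry['filename']}: missing")
            continue
        filename, data = present
        if filename != entry["filename"] or sha256_hex(data) != entry["sha256"]:
            problems.append(f"{entry['filename']}: hash mismatch")
    return problems


# Constructed stand-ins for acquired evidence from a hypothetical HR workstation.
SAMPLE_ARTIFACTS = {
    "disk": ("ws-hr-07.dd", b"\x00" * 512 + b"payroll.xlsx"),
    "memory": ("ws-hr-07.mem", b"lsass.exe\x00explorer.exe\x00"),
    "network": ("ws-hr-07.pcap", b"\xd4\xc3\xb2\xa1" + b"\x00" * 20),
}

if __name__ == "__main__":
    manifest = build_manifest("IR-2016-0621", "ws-hr-07", "analyst1", SAMPLE_ARTIFACTS)
    print(json.dumps(manifest, indent=2))
    print("verify original:", verify(manifest, SAMPLE_ARTIFACTS))
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["disk"] = ("ws-hr-07.dd", SAMPLE_ARTIFACTS["disk"][1] + b"x")
    print("verify tampered:", verify(manifest, tampered))
```

The manifest is deliberately hashed over its entries rather than signed: a signature (or a copy of the manifest hash written into the case log by a second analyst) is what makes it hold up if the collector's own workstation is later questioned, and that step is left to the team's case-management process.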
